-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disabled optional weak dependencies end up in Cargo.lock
#10801
Comments
Note that this bug also affects the output of the metadata subcommand, but not the tree subcommand. Weak dependencies are resolved in the |
cargo metadata resolves all dependencies even ones that are disabled (known as weak dependencies) which cargo build doesn't do (see issue rust-lang/cargo#10801). These unresolved dependencies require network access to load their package metadata. As the `--frozen` flag itself blocks network access (in addition to blocking changes to the Cargo.lock) too, we need to remove both the `--frozen` and `--offline` flags. Doing this allows cargo the change the `Cargo.lock` though, which is undesirable (as we're in the process of building the same dependencies that rely on the `Cargo.lock` in the first place).
I believe I am running into this with target-specific dependencies:
I noticed this when there was a version conflict (since I already had the dependency in the lock file from another dependency). |
cargo metadata resolves all dependencies even ones that are disabled (known as weak dependencies) which cargo build doesn't do (see issue rust-lang/cargo#10801). These unresolved dependencies require network access to load their package metadata. As the `--frozen` flag itself blocks network access (in addition to blocking changes to the Cargo.lock) too, we need to remove both the `--frozen` and `--offline` flags. Doing this allows cargo the change the `Cargo.lock` though, which is undesirable (as we're in the process of building the same dependencies that rely on the `Cargo.lock` in the first place).
I'm not sure but I think I ran into this issue in: I found it unexpected that |
I've noticed this as well when |
@ljedrz that behavior is expected. If you're talking about It's the same reason |
@lopopolo indeed, it's that dependency; however, since I'm not building on an applicable target, I'd expect it to not show up in my lockfile just as much as if it were an optional (and disabled) dependency. |
Most of the new dependencies are false positive and are not actually required, but are false dependencies due to a Cargo bug. rust-lang/cargo#10801
A note: this adds serde to the lockfile, but it is not actually used. This is caused by rust-lang/cargo#10801.
This also happens with sea-orm which pulls chrono and time when you use the |
I believe this is a known limitation of the lock file generation that is intended to be improved eventually. From #5655 (comment),
While #5133 mentions From #7058 (comment),
|
This only applies to the root crate (the one you are working on) but not the dependencies. When you depend on Cargo.toml[package]
name = "foobar"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
serde = "1.0.147" Cargo.lock# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3
[[package]]
name = "foobar"
version = "0.1.0"
dependencies = [
"serde",
]
[[package]]
name = "serde"
version = "1.0.147"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d193d69bae983fc11a79df82342761dfbf28a99fc8d203dca4c3c1b590948965"
This issue is not comparable to platform dependent In my original posts in the |
I understand what you mean with weak features now. I'll see if I can find anything mentioned in the past.
Apologies for any confusion, I forgot to add an @ mention to the platform specific part of my comment, which was meant to be in response to @ljedrz #10801 (comment)
|
The issue with platforms should be be a separate issue, this is really for the issue where a dependency is truly never used but still included. Let's keep it on topic 👍 |
Indeed, I linked to those earlier in #10801 (comment) so that related discussion can move there. |
Cargo.lock
Cargo.lock
Cargo.lock
Cargo.lock
Cargo.lock
Cargo.lock
Soo... ring isn't in my 'cargo tree', but it is still trying and failing to compile. I think this bug has worsened. |
@lilith Optional dependencies shouldn't compile if not activated. It might be something enabling |
The Firefox WebGPU team is running into this issue transitively because of CC @jimb. |
Would that be a bug to fix in |
@epage We've presented this to the cargo vet maintainers, and they said:
|
There are a lot of tools that depend on |
As explained in my (failed) PR #11938, cargo has two resolvers, and only one of the two has this problem. The other resolver doesn't. I wonder if one could add a mode to |
Problem
Lets say I have two crates, with these contents of
Cargo.toml
. The Rust code does not matter here.As you can see,
bar
depends onfoo
and enables theserialization
feature, but it does not enable thetime
nor thechrono
feature.This results in the following
bar/Cargo.lock
file:bar/Cargo.lock
The relevant snippet is at the end:
Here the dependency
time
is declared, even though it is an optional dependency and nothing enabled the corresponding feature onfoo
. Thetime
dependency even hasserde
listed as one of its dependencies too.I think this is problematic in a couple of ways.
It bloats the
Cargo.lock
and makes it imply that changes are larger than they actually are. In the above example addingfoo
will also addtime
even if that is not necessary.Dependency management tools will get confused by this. I mean tools like dependabot or
cargo audit
, which use theCargo.lock
as source of truth. Since these tools will see an entry fortime
, even if it is unused, they will create pull requests or warn about security vulnerabilities which do not exists.This prevents using two crates with conflicting version requirements. You can see what happens if you uncomment the lines in
bar/Cargo.toml
.Uncommenting
time
will fail, since now two conflicting version constraints (=0.3.10
!==0.3.11
) exist.However, uncommenting
chrono
works with the conflicting versions (=0.4.18
!==0.4.19
).Steps
foo
with the above content forCargo.toml
.bar
with the above content forCargo.toml
.Cargo.lock
ofbar
contains an entry fortime
and even a transitiveserde
dependency intime
.Possible Solution(s)
Disabled optional dependencies should not be tracked in
Cargo.lock
, even if there is a weak dependency linking to it. This brings it in line with "normal" optional dependencies.Notes
While the
time
entry exists in theCargo.lock
, it appears cargo correctly ignores it when building the code. There is neither aCompiling time ...
log line nor are there any artifacts in thetarget
folder associated withtime
.I checked various issues and documentation entries, but I couldn't find if this is a bug or intended.
The tracking issue (#8832) and documentation (https://doc.rust-lang.org/nightly/cargo/reference/features.html#dependency-features) do not mention any changes in to
Cargo.lock
. Neither does the implementation PR (#8818), which does not even seem to have any lock files.Version
The text was updated successfully, but these errors were encountered: